Skip to content
This repository has been archived by the owner on Jan 12, 2025. It is now read-only.

araj - Malicious user can DoS honest BribeRewarder by creating MAX_BRIBES_PER_POOL with very small amount #88

Closed
sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Closed

araj - Malicious user can DoS honest BribeRewarder by creating MAX_BRIBES_PER_POOL with very small amount #88

sherlock-admin3 opened this issue Jul 15, 2024 · 0 comments
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue

Comments

@sherlock-admin3
Copy link
Contributor

sherlock-admin3 commented Jul 15, 2024
edited by sherlock-admin4
Loading

araj

Medium

Malicious user can DoS honest BribeRewarder by creating MAX_BRIBES_PER_POOL with very small amount

Summary

Malicious user can DoS honest BribeRewarder by creating MAX_BRIBES_PER_POOL with very small amount

Vulnerability Detail

Voter.sol allow any user to create/register bribeRewarder for any pool and max bribe that can be created per votingPeriod per pool is 5 ie MAX_BRIBES_PER_POOL

 uint256 internal constant MAX_BRIBES_PER_POOL = 5;
function onRegister() external override {
...
        (address pool, uint256[] memory periods) = rewarder.getBribePeriods();
        for (uint256 i = 0; i < periods.length; ++i) {
            // TODO check if rewarder token + pool  is already registered

            require(periods[i] >= currentPeriodId, "wrong period");
       @>   require(_bribesPerPriod[periods[i]][pool].length + 1 <= Constants.MAX_BRIBES_PER_POOL, "too much bribes");
            _bribesPerPriod[periods[i]][pool].push(rewarder);
        }
    }

A malicious user can take advantage of this MAX_BRIBES_PER_POOL to create multiple(5) bribeRewarder for multiple votingPeriod for a specific pool which he wants to DoS with very little amount(amountPerPeriod)

//How this works:

  1. Suppose an honest user wanted to bribe for poolA to pass the minVotes or to attract voters
  2. Malicious user saw this and created 5 bibeRewarder for the same poolA & bribe it from currentVotingPeriod to till he wants to DoS with amountPerPeriod = 1 wei
  3. This will register the all 5 bribeRewarder to voter.sol contract( in _bribesPerPriod mapping)
  4. When honest user will try to register the real bribeRewarder, it will revert due to MAX_BRIBES_PER_POOL( see above code )

Note: All this can be done with very little amount ie as little as 5 wei( 5 bibeRewarder * 1 wei )

Impact

Honest pool can be DoSed with very little amount

Code Snippet

https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/libraries/Constants.sol#L17
https://github.com/sherlock-audit/2024-06-magicsea/blob/main/magicsea-staking/src/Voter.sol#L130C4-L144C6

Tool used

Manual Review

Recommendation

There are couple of ways:

  1. Set min amountPerPeriod in BribeRewarder that is required while bribing
  2. Charge min fee when a user register for BribeRewarder in Voter.sol

Duplicate of #190
@github-actions github-actions bot added duplicate Medium A Medium severity issue. labels Jul 21, 2024
@sherlock-admin2 sherlock-admin2 added the Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label label Jul 22, 2024
@sherlock-admin4 sherlock-admin4 changed the title Deep Rose Mandrill - Malicious user can DoS honest BribeRewarder by creating MAX_BRIBES_PER_POOL with very small amount araj - Malicious user can DoS honest BribeRewarder by creating MAX_BRIBES_PER_POOL with very small amount Jul 29, 2024
@sherlock-admin4 sherlock-admin4 added the Reward A payout will be made for this issue label Jul 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
Duplicate A valid issue that is a duplicate of an issue with `Has Duplicates` label Medium A Medium severity issue. Reward A payout will be made for this issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@sherlock-admin2 @sherlock-admin3 @sherlock-admin4